FBI officials say laptop farms are a crucial way North Korean IT teams trick U.S. companies into believing their remote workers are in the U.S. — providing both a physical address to mail laptops to and a U.S. internet connection. Once equipped with certain remote access software and tools, workers can log into those laptops remotely.
So far, at least 10 alleged U.S.-based facilitators have been federally charged, including one active-duty member of the U.S. Army, for their alleged roles in hosting laptop farms, laundering payments and moving proceeds through shell companies. At least six other alleged U.S. facilitators have been identified in court documents but not named.
In one instance, an American citizen, Kejia “Tony” Wang, traveled to China in 2023 to meet with co-conspirators and IT workers in Shenyang and Dandong, according to court documents. Laptops from over 100 U.S. companies, including a California-based defense contractor, were sent to Wang, who also set up shell companies to help route wages earned overseas. Wang pleaded guilty to charges related to wire fraud, money laundering and identity theft and is awaiting sentencing next month.
“We believe there are many more hundreds of people out there who are participating in these schemes,” said Rozhavsky, the FBI assistant director. “They could never pull this off if they didn’t have willing facilitators in the U.S. helping them.”
Once illicit money has been earned, it needs to be consolidated and converted to government-issued currency. North Korean teams typically rely on a maze of Chinese networks to launder it, according to industry reports.
“Every bad guy you can think of is using Chinese money launderers. Now, this is how money moves internationally,” said Nick Carlsen, senior investigator on the global investigations team at the blockchain analytics company TRM Labs and a former intelligence analyst at the FBI focused on North Korea.
Since Kim Jong Un took power in 2011, North Korea has honed and expanded a portfolio of cybercrime operations beyond IT work — pulling in billions through cryptocurrency thefts including a record $1.5 billion heist last year, according to the FBI. Analysts say these operations have made Kim wealthier and more geopolitically relevant than ever before, validating his long-held view of cyberoperations as an “all-purpose sword.”
In recent years, North Korea’s partnership with Chinese money laundering networks has unlocked a new level of speed and efficiency that North Korean operators had not been able to achieve independently.
“The transformative element is the existence of these superliquid Chinese financial networks,” Carlsen said. “They can absorb a lot of money, convert it and transfer it in whatever domestic currency you want. That’s the big change.”
Most of these intermediaries operate across southern China and Southeast Asia including Myanmar, Hong Kong, Macao and China’s Fujian province — rapidly moving cryptocurrency across blockchains using so-called “mixers” that break stolen funds into smaller pieces to obscure their origin. IT worker proceeds are typically smaller sums and involve fewer intermediaries, said Andrew Fierman, head of national security intelligence at the blockchain tracking company Chainalysis, while the larger crypto heist sums require complex, multilayered laundering chains.
Carlsen noted that funds from both IT worker schemes and crypto heists frequently end up with Chinese brokers tied to organized-crime syndicates. “You see overlaps with pig-butchering scams and with drug cartels,” he said. “These are the same networks absorbing this money.” Cryptocurrencies have made that convergence easier. “It’s the lubricant,” he added. “The oil that allows all these gears to interact with each other.”
The U.S. government has taken some steps to address North Korea’s IT worker scheme, but experts warn the threat is intensifying as workers’ use of AI continues to scale up around the globe.
Cybersecurity analysts say U.S. enforcement tools are struggling to keep pace with the scale and sophistication of Pyongyang’s cyberoperations. Many of the individuals involved operate from countries that lack extradition agreements with the U.S., placing them largely beyond the reach of U.S. law enforcement.
“It’s a whack-a-mole game. It’s virtually impossible to fully disrupt this,” Carlsen said. “It’s just a never-ending process.”
He argues the most effective strategy is to make schemes less profitable by cutting off the regime’s ability to cash out through money laundering organizations.
The U.S. government has ramped up efforts to do that. On Thursday, the Treasury Department sanctioned six individuals and two entities for their roles in DPRK government-orchestrated IT worker schemes, including facilitators based in North Korea, Vietnam, Laos and Spain.
Last fall, federal authorities announced a wave of criminal indictments, forfeitures, sanctions and asset freezes targeting North Korea’s illicit cyber activity.
In October, the Treasury Department severed Cambodia-based Huione Group, a financial-guarantee network, from the U.S. financial system, alleging it laundered billions in illicit proceeds, including at least $37 million in cryptocurrency linked to North Korean operations. Weeks later, eight individuals and two entities, including North Korean bankers and institutions, were sanctioned for laundering funds derived from cybercrime and IT worker fraud schemes.
North Korea, for its part, has denied any wrongdoing.

Last year, following the Department of Justice’s indictment of several North Koreans for their alleged roles in the scheme, the country’s foreign minister condemned U.S. actions as “an absurd smear campaign” targeting the “non-existent ‘cyber threat’ from the DPRK,” the Korean Central News Agency reported.
In response to questions about Chinese nationals’ involvement in the scheme, Chinese Embassy spokesperson Liu Pengyu said, “We oppose false allegations and smears which have no factual ground at all.”
The scheme itself is also becoming more complex. North Korean IT teams are now subcontracting work to developers in Pakistan, Nigeria and India, expanding into fields like customer service, financial processing, insurance and translation services — roles far less scrutinized than software development.
“Unless you have external information, you might not know they’re North Korean,” said Michael Barnhart, who leads nation-state threat intelligence at DTEX. “They’re trying to move themselves into middle management, and it’s working.”
That expansion also raises concerns that North Korean workers could cause real-world harm by jeopardizing lives, something Barnhart has seen up close.
In 2021, as part of a wave of attacks on NASA and military bases, a North Korean hacking team infected a Kansas hospital’s computer systems with ransomware, crippling servers and demanding roughly $100,000 in bitcoin to restore their function. The hospital paid. Barnhart helped investigate the hack alongside the FBI, and it was that case that made clear to him the ways in which North Korea’s malicious hacking teams sometimes cooperate with IT teams to support their missions, something that was not widely known at the time.
What he saw was a hacking operator engaged in IT work, including placing other IT workers in jobs. The income from those jobs supported the hacking unit’s primary malware operations to commit computer intrusions against U.S., South Korean and Chinese government or technology victims.
“It started off as revenue generation, but the lines are getting blurrier and blurrier. If the time comes, they’ve got chess pieces inside organizations all over the world — and they’ll start acting from the inside,” he said.
Rozhavsky expressed similar concerns.
“Even if a company gets rid of them, we don’t know what backdoors they could have left for access in the future,” he said. “So it’s definitely a ticking time bomb that could have negative consequences down the line.”
Lawmakers are also seeking stronger defenses. Sens. Gary Peters, D-Mich., and Mike Rounds, R-S.D., introduced the Protecting America from Cyber Threats Act, which would renew key cybersecurity authorities for another decade and encourage private companies, like Nisos, to share information about cyberthreats with the federal government.
Still, thousands of workers, the driving force of the IT schemes and the majority of whom are based in China, remain out of reach.
“These are the smartest people in North Korea. That’s kind of the tragedy of it,” Carlsen said. “They’ve taken their best and brightest and made them criminals.”